JianQi Zhu,Yanheng Liu,Xu Yang,Xin Sun

2010-01-01

Journal of Computational Information Systems

Abstract:The severity and number of intrusions on computer networks are rapidly increasing, which requires advances not only in detection algorithm, but also in automatic response techniques. In this paper, a new approach to automatic response called DGII_IDR is presented that employs a game-theoretic response strategy against adversaries. It transforms the incomplete information dynamic game into a complete but imperfect information game by Harsanyi transformation. The optimal response is chosen by the use of perfect Bayesian equilibrium to revise the posterior belief of player's type continuously. Moreover, DGII_IDR solved the conflict between the rational assumption and irrational behavior of attacker/defender by restricting their strategies in game theory. We also show how our game theoretical framework can be applied to configure the intrusion detection strategies in realistic scenarios via a case study and demonstrate the effectiveness of DGII_IDR. Copyright © 2010 Binary Information Press.

Qiumei Cheng,Chunming Wu,Bin Hu,Dezhang Kong,Boyang Zhou

DOI: https://doi.org/10.1109/globecom38437.2019.9013291

2019-01-01

Abstract:The intrusion response system is dedicated to automatically respond to sophisticated network intrusions, which is a sequential decision-making problem for autonomous agents. The current Markov decision process (MDP) or stochastic games based solutions suffer from several weaknesses: (i) The MDPbased approach is unable to explicitly model the opponents; (ii) The Nash equilibrium approach of stochastic games cannot handle the condition with multi equilibria. Existing studies have not considered the cognitive ability of the agent and lack of explicit opponent modeling. Inspired by recursive reasoning, this paper introduces a theory of mind (ToM)-based stochastic game-theoretic approach to reason about the beliefs and behaviors of the attackers. Each agent maintains different order ToM beliefs concerning his opponent with explicit opponent modeling. In order to accurately predict the attacker's action with nested beliefs, we utilize the Bayesian attack graph (BAG) to model multi-step attacks scenarios. In addition, the agent is allowed to learn from new information to adjust his beliefs and learning speed. Simulation results validate that ToM modeling performs well in the intrusion response system than random defense actions. Besides, a defender with first-order ToM beliefs always wins an attacker with zero-order ToM beliefs.

Zhiyong Wang,Shengwei Xu,Guoai Xu,Yongfeng Yin,Miao Zhang,Dawei Sun

DOI: https://doi.org/10.1155/2020/8824163

IF: 1.968

2020-01-01

Security and Communication Networks

Abstract:In this paper, the game theoretical analysis method is presented to provide optimal strategies for anomaly-based intrusion detection systems (A-IDS). A two-stage game model is established to represent the interactions between the attackers and defenders. In the first stage, the players decide to do actions or keep silence, and in the second stage, attack intensity and detection threshold are considered as two important strategic variables for the attackers and defenders, respectively. The existence, uniqueness, and explicit computation of the Nash equilibrium are analyzed and obtained by considering six different scenarios, from which the optimal detection and attack actions are provided. Numerical examples are provided to validate our theoretical results.

Hao Wu,Wei Wang,Changyun Wen,Zhengguo Li

DOI: https://doi.org/10.1016/j.ins.2018.04.051

IF: 8.1

2018-01-01

Information Sciences

Abstract:In this paper, a game theoretical analysis method is presented to provide the optimal security detection strategies for heterogeneous networked systems. A two-stage game model is firstly established, in which the attacker and defender are considered as two players. In the first stage, the two players make decisions on whether to execute the attack/monitoring actions or to keep silence for each network unit. In the second stage, two important strategic varibles, i.e. the attack intensity and detection threshold, are cautiously determined. The necessary and sufficient conditions to ensure the existence of the Nash equilibriums for the game with complete information are rigorously analyzed. The results reflect that with limited resources and capacities, the defender (attacker) tends to perform defense (attack) actions and further allocate more defense (less attack) resources to the units with larger assets. Besides, Bayesian and robust Nash equilibrium analysis is provided for the game with incomplete information. Finally, a sampling based Nash equilibrium verification and calculation approach is proposed for the game model with continuous kernels. Thus the convexity restrictions can be relaxed and the computational complexity is effectively reduced, with comparison to the existing recursive calculation methods. Numerical examples are given to validate our theoretical results.

He Wei,Chunhe Xia,Haiquan Wang,Zhang Cheng,Ji Yi

DOI: https://doi.org/10.1109/csse.2008.1651

2008-01-01

Abstract:How to quantify the threat probability in network security risk assessment is an important problem to be solved. Most of the existing methods tend to consider the attacker and defender separately. However, the decision to perform the attack is a trade-off between the gain from a successful attack and the possible consequences of detection; meanwhile, the defender’s security strategy depends mostly on the knowledge of the intentions of the attacker. Therefore, ignoring the connections between the attacker and defender’s decisions does not correspond to reality. Game theory is the study of the ways in which strategic interactions among rational players produce outcomes with respect to the utilities of those players. In this paper, a novel Game Theoretical Attack-Defense Model (GTADM) which quantifies the probability of threats is proposed in order to construct a risk assessment framework. According to the cost-benefit analysis, we define the method of formulating the payoff matrix; the equilibrium of the model is also analyzed. In the end, a simple scenario is presented to illustrate the usage of GTADM in the risk assessment framework to show its efficiency.

WANG Lei,JIANG Xing-hao,ZHANG Shao-jun,LI Jian-hua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.12.054

2007-01-01

Abstract:In this paper, an intrusion detection framework based on bimatrix game theory is proposed. First, a non- cooperative game between an attacker and a defender is defined. And then, the Nash equilibrium of the game is obtained based on Lemke-Howson algorithm. Finally the conclusion is presented.

Ziqin Chen,Guanpu Chen,Yiguang Hong

DOI: https://doi.org/10.1142/s2301385024410152

2024-01-01

Unmanned Systems

Abstract:In this paper, we propose a game theory framework to solve advanced persistent threat problems, especially considering two types of insider threats: malicious and inadvertent. Within this framework, we establish a unified three-player game model and derive Nash equilibria in response to different types of insider threats. By analyzing these Nash equilibria, we provide quantitative solutions to advanced persistent threat problems pertaining to insider threats. Furthermore, we have conducted a comparative assessment of the optimal defense strategy and corresponding defender's costs between two types of insider threats. Interestingly, our findings advocate a more proactive defense strategy against inadvertent insider threats in contrast to malicious ones, despite the latter imposing a higher burden on the defender. Our theoretical results are substantiated by numerical results, which additionally include a detailed exploration of the conditions under which different insiders adopt risky strategies. These conditions can serve as guiding indicators for the defender when calibrating their monitoring intensities and devising defensive strategies.

Wenjun Ma,Weiru Liu,Paul Miller,Xudong Luo

2014-01-01

Abstract:Threat intervention with limited security resources is a challenging problem. An optimal strategy is to eectively predict attackers’ targets (or goals) based on current available information, and use such predictions to disrupt their planned attacks. In this paper, we propose a game-theoretic framework to address this challenge which encompasses the following three elements. First, we design a method to analyze an attacker’s types in order to determine the most plausible type of an attacker. Second, we propose an approach to predict possible targets of an attack and the course of actions that the attackers may take even when the attackers’ types are ambiguous. Third, a game-theoretic based strategy is developed to determine the best intervention approaches taken by defenders (security resources).

Feng Yang,Xuehai Zhou,Gangyong Jia,Qiyuan Zhang

DOI: https://doi.org/10.1109/cnsr.2010.24

2010-01-01

Abstract:In this paper, we propose an intrusion detection framework for smartphone systems. We formulate the intrusion detection problem into a two-player, non-cooperative, complete-information, constant-sum game. The attacker and the security server are the players of the game. The security server wants to maximize the value of the system but the attacker wants to minimize it. We present the Nash equilibrium and the Nash equilibrium leads to a defense strategy for the security server. We implement the framework and the results show that the proposed defense strategy is better than traditional ones.

Wenjun Ma,Weiru Liu,Paul Miller,Xudong Luo

DOI: https://doi.org/10.5555/2615731.2616064

2014-01-01

Abstract:Threat intervention with limited security resources is a challenging problem. An optimal strategy is to effectively predict attackers' targets (or goals) based on current available information, and use such predictions to disrupt their planned attacks. In this paper, we propose a game-theoretic framework to address this challenge which encompasses the following three elements. First, we design a method to analyze an attacker's types in order to determine the most plausible type of an attacker. Second, we propose an approach to predict possible targets of an attack and the course of actions that the attackers may take even when the attackers' types are ambiguous. Third, a game-theoretic based strategy is developed to determine the best intervention approaches taken by defenders (security resources).

Nianyu Li,Mingyue Zhang,Jialong Li,Sridhar Adepu,Eunsuk Kang,Zhi Jin

DOI: https://doi.org/10.1145/3652949

2024-03-22

ACM Transactions on Autonomous and Adaptive Systems

Abstract:Security attacks present unique challenges to the design of self-adaptation mechanism for software-intensive systems due to the adversarial nature of the environment. Game-theoretical approaches have been explored in security to model malicious behaviors and design reliable defense for the system in a mathematically grounded manner. However, modeling the system as a single player, as done in prior works, is insufficient for the system under partial compromise and for the design of fine-grained defensive policies where the rest of the system with autonomy can cooperate to mitigate the impact of attacks. To address such issues, we propose a new self-adaptation framework incorporating Bayesian game theory and model the defender (i.e., the system) at the granularity of components. Under security attacks, the architecture model of the system is automatically translated, by the proposed translation process with designed algorithms, into a multi-player Bayesian game. This representation allows each component to be modelled as an independent player, while security attacks are encoded as variant types for the components. By solving for pure equilibrium (i.e., adaptation response), the system’s optimal defensive strategy is dynamically computed, enhancing system resilience against security attacks by maximizing system utility. We validate the effectiveness of our framework through two sets of experiments using generic benchmark tasks tailored for the security domain. Additionally, we exemplify the practical application of our approach through a real-world implementation in the Secure Water Treatment System to demonstrates the applicability and potency in mitigating security risks.

computer science, information systems, artificial intelligence, theory & methods

Guoxin Wu

2007-01-01

Abstract:A mathematical analysis of the properties of intrusion detection system(IDS) are given first,taking alarm confidence,response cost,and damage cost into consideration,a lowest cost-sensitive response decision modle is presented.This modle can adaptively adjust response measures by IDS's alarm confidence and intrusion response system's(IRS) response execution.An adaptive intrusion response system based on active network is designed.Intuitively,this system will provide more flexibility,expansibility and robustness.

Jianye Hao,Yinxing Xue,Mahinthan Chandramohan,Yang Liu,Jun Sun

DOI: https://doi.org/10.1109/ictai.2015.154

2015-01-01

Abstract:Network monitoring is an important way to ensure the security of hosts from being attacked by malicious attackers. One challenging problem for network operators is how to distribute the limited monitoring resources (e. g., intrusion detectors) among the network to detect attacks in a cost-effective manner, especially when the attacking strategies can be changing dynamically and unpredictable. To this end, we adopt Markov game to model the interactions between the network operator and the attacker and propose an adaptive Markov strategy (AMS) to determine how the detectors should be placed on the network against possible attacks to minimize the network's accumulated cost over time. The AMS is guaranteed to converge to the best response strategy when the attacker's strategy is fixed (rationality), converge to a fixed strategy under self-play (convergence) and obtain a payoff no less than that under the precomputed Nash equilibrium strategy of the Markov game (safety). The experimental results show that the AMS can achieve better protection for the network compared with both previous approaches based on the prediction of attack paths (equivalent to a graph coloring problem) and Nash equilibrium strategy.

Ya-Peng Li,Suo-Yi Tan,Ye Deng,Jun Wu

DOI: https://doi.org/10.1063/1.5029343

2018-01-01

Abstract:Dealing with the protection of critical infrastructures, many game-theoretic methods have been developed to study the strategic interactions between defenders and attackers. However, most game models ignore the interrelationship between different components within a certain system. In this paper, we propose a simultaneous-move attacker-defender game model, which is a two-player zero-sum static game with complete information. The strategies and payoffs of this game are defined on the basis of the topology structure of the infrastructure system, which is represented by a complex network. Due to the complexity of strategies, the attack and defense strategies are confined by two typical strategies, namely, targeted strategy and random strategy. The simulation results indicate that in a scale-free network, the attacker virtually always attacks randomly in the Nash equilibrium. With a small cost-sensitive parameter, representing the degree to which costs increase with the importance of a target, the defender protects the hub targets with large degrees preferentially. When the cost-sensitive parameter exceeds a threshold, the defender switches to protecting nodes randomly. Our work provides a new theoretical framework to analyze the confrontations between the attacker and the defender on critical infrastructures and deserves further study. Published by AIP Publishing.

Wei Jiang,Zhi-Hong Tian,Hong-Li Zhang,Xin-fang Song

DOI: https://doi.org/10.1109/ICNSC.2008.4525297

2008-01-01

Abstract:This paper presents a stochastic game theoretic approach to analyzing attack prediction and the active defense of computer networks. A Markov chain for privilege (MCP) model to predict attacker's behavior and strategies is proposed. We regard the interactions between an attacker and the defender as a two-player, non-cooperative, zero-sum, finite stochastic game and formulate an attack-defense stochastic game (ADSG) model for the game. An attack strategies prediction and optimal active defense strategy decision algorithm is developed using the ADSG and cost-sensitive model. Optimal defense strategies with minimizing costs are used to defend the attack and harden the network in advance. Finally, a simple example of an attack against a network is modeled and analyzed.

Ziqin Chen,Guanpu Chen,Yiguang Hong

DOI: https://doi.org/10.48550/arXiv.2209.08476

2022-09-18

Abstract:In this paper, we propose a game-theoretical framework to investigate advanced persistent threat problems with two types of insider threats: malicious and inadvertent. Within this framework, a unified three-player game is established and Nash equilibria are obtained in response to different insiders. By analyzing Nash equilibria, we provide quantitative solutions to the advanced persistent threat problems with insider threats. Furthermore, optimal defense strategy and defender's cost comparisons between two insider threats have been performed. The findings suggest that the defender should employ more active defense strategies against inadvertent insider threats than against malicious insider threats, despite the fact that malicious insider threats cost the defender more. Our theoretical analysis is validated by numerical results, including an additional examination of the conditions of the risky strategies adopted by different insiders. This may help the defender in determining monitoring intensities and defensive strategies.

Optimization and Control

Zhen Ni,Qianmu Li,Gang Liu

DOI: https://doi.org/10.1109/mc.2018.2141032

2018-01-01

Computer

Abstract:Network security decisions must consider how to balance information security risk and output in light of limited resources. Using game theory, the authors propose an optimum attack-defense decision-making algorithm that considers the interaction between attackers and defenders.

Lemonia Dritsoula,Patrick Loiseau,John Musacchio

DOI: https://doi.org/10.48550/arXiv.1207.0745

2012-07-04

Abstract:We consider a game in which a strategic defender classifies an intruder as spy or spammer. The classification is based on the number of file server and mail server attacks observed during a fixed window. The spammer naively attacks (with a known distribution) his main target: the mail server. The spy strategically selects the number of attacks on his main target: the file server. The defender strategically selects his classification policy: a threshold on the number of file server attacks. We model the interaction of the two players (spy and defender) as a nonzero-sum game: The defender needs to balance missed detections and false alarms in his objective function, while the spy has a tradeoff between attacking the file server more aggressively and increasing the chances of getting caught. We give a characterization of the Nash equilibria in mixed strategies, and demonstrate how the Nash equilibria can be computed in polynomial time. Our characterization gives interesting and non-intuitive insights on the players' strategies at equilibrium: The defender uniformly randomizes between a set of thresholds that includes very large values. The strategy of the spy is a truncated version of the spammer's distribution. We present numerical simulations that validate and illustrate our theoretical results.

Computer Science and Game Theory

Siyang Yu,Fan Wu,Baoding Chen,Ronghui Cao,Zhibang Yang,Keqin Li

DOI: https://doi.org/10.1002/cpe.7826

2023-01-01

Abstract:SummaryWith the rise of industrialization, the importance of the industrial Internet of Things (IIoT) has increased significantly, and with it comes a variety of security threats. Therefore, the security of these networks is critical. Industrial Response Systems (IRSs), as the last line of security, plays an important role in the security system of the Industrial Internet of Things. In this paper, a new IRS model based on the non‐cooperative game is proposed. First, by combining the Partially Observable Markov Decision Process (POMDP) model with the stochastic game model based on the expanded attack tree, our model could effectively perceive the changes at each node. Second, our model incorporates the alarms of intrusion detection system (IDS) and the physical quantities of sensors in Industrial Cyber‐Physical System (ICPS) into the quantization system so that the model can respond to intruders more accurately and comprehensively. Finally, we develop this model based on multiprocessors to speed up the solution process, and adopt an approximation algorithm to reduce the number of iterations of the POMDP

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.1016/j.cose.2019.101660

2019-11-05

Abstract:Advanced Persistent Threats (APTs) have recently emerged as a significant security challenge for a cyber-physical system due to their stealthy, dynamic and adaptive nature. Proactive dynamic defenses provide a strategic and holistic security mechanism to increase the costs of attacks and mitigate the risks. This work proposes a dynamic game framework to model a long-term interaction between a stealthy attacker and a proactive defender. The stealthy and deceptive behaviors are captured by the multi-stage game of incomplete information, where each player has his own private information unknown to the other. Both players act strategically according to their beliefs which are formed by the multi-stage observation and learning. The perfect Bayesian Nash equilibrium provides a useful prediction of both players' policies because no players benefit from unilateral deviations from the equilibrium. We propose an iterative algorithm to compute the perfect Bayesian Nash equilibrium and use the Tennessee Eastman process as a benchmark case study. Our numerical experiment corroborates the analytical results and provides further insights into the design of proactive defense-in-depth strategies.

Computer Science and Game Theory,Cryptography and Security